Security Now 194: Listener Feedback 65

News & Errata

How SSL works will be next week's episode, unless something major happens in the security world.

02:55 - 03:05

The podcast's star date is -314327.28.

03:20 - 04:00

Critical Firefox updates have been released

04:01 - 05:11

IE 8 has been pushed through Windows Update.

05:12 - 06:22

A critical Blackberry PDF vulnerability has been found.

Users should update

Spinrite Question & Story

06:23 - 14:20 (Jose Cerna, San Diego)

Question: Can you run Spinrite on a solid state drive (SSD)?

Answer: Steve can see no benefit from running Spinrite on an SSD.

He uses Spinrite on computers when he fixes them for friends. Afterwards he makes them buy a copy, which he puts on a USB memory stick for them to use, and they are all happy.

Questions & Answers

16:55 - 01:14:44

1) 16:55 - 23:26 Elaine (Unknown)

Question: What does it mean when you say "Conficker generates domain names"? Don't they then have to pay to register these domain names? Is Conficker costing someone half a million dollars a day?

Answer: Conficker generates 50,000 domains but then only contacts 500 of them. To stop Conficker from reaching an update domain, the good guys would need to register all 50,000 domains, while the creator only needs to register one of them to supply Conficker with an update. Also, only one copy of Conficker needs to reach that domain; it can then update the rest via its P2P technology.
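As an added illustration, not from the podcast or this page: because almost none of the generated candidate domains are ever registered, a bot's daily lookups show up in resolver logs as a burst of non-existent-domain answers for random-looking names, which a defender can flag. The script below does that count over constructed log lines; the log layout, the thresholds, and the assumption that unregistered candidates come back as NXDOMAIN are all assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines ("timestamp client queried-name rcode");
# made-up records for illustration, not real Conficker traffic.
SAMPLE_LOG = """\
2009-04-10T09:01:02 10.0.0.5 www.example.com NOERROR
2009-04-10T09:01:03 10.0.0.5 mail.example.com NOERROR
2009-04-10T09:01:04 10.0.0.9 qzkvtrpl.biz NXDOMAIN
2009-04-10T09:01:04 10.0.0.9 wmfcuhga.info NXDOMAIN
2009-04-10T09:01:05 10.0.0.9 ptlxovqe.org NXDOMAIN
2009-04-10T09:01:05 10.0.0.9 www.example.com NOERROR
2009-04-10T09:01:06 10.0.0.9 hbrkdzyc.net NXDOMAIN
2009-04-10T09:01:06 10.0.0.9 ykqpmzla.com NXDOMAIN
2009-04-10T09:01:07 10.0.0.9 rjvgnxbt.biz NXDOMAIN
2009-04-10T09:01:08 10.0.0.7 typo.exmaple.com NXDOMAIN
2009-04-10T09:01:09 10.0.0.7 www.example.com NOERROR
"""

# Assumed log layout, one record per line; other formats need a new regex.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_log(text):
    """Yield (client, name, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower(), m.group(4)

def flag_dga_hosts(text, min_failed=5, min_ratio=0.5):
    """Return {client: (distinct_failed, total_queries)} for clients whose
    lookups look like rendezvous-domain probing: many distinct names that do
    not exist, forming most of the client's queries (thresholds are assumed)."""
    failed = defaultdict(set)   # client -> names answered NXDOMAIN
    total = defaultdict(int)    # client -> number of queries seen
    for client, name, rcode in parse_log(text):
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(name)
    flagged = {}
    for client, n in total.items():
        f = len(failed[client])
        if f >= min_failed and f / n >= min_ratio:
            flagged[client] = (f, n)
    return flagged

if __name__ == "__main__":
    for client, (f, n) in sorted(flag_dga_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {f} distinct non-existent names in {n} queries")
```

A single typo (10.0.0.7) stays below the thresholds; only the host cycling through many unregistered names is reported.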

2) 23:27 - 29:10 Doug Curry (Houston, Texas)

Question: If you know the public key and encrypting algorithm, couldn't you put some set of known data through the algorithm, using the public key, obtaining the encrypted output, attempt to decrypt that output with the same algorithm and a sequence of successive potential private keys - there's the issue, we'll get to that - comparing the encrypted output to the original, in other words a brute force attack against this public key? And given that a brute force attack would require massive amounts of computing power, could you not use a distributed computing methodology like SETI@home in order to get a large number of computers all working on small sections of the problem simultaneously to come up with a solution in a reasonable amount of time?

Answer: Symmetric encryption uses 128- or 256-bit keys. Even with 128-bit keys you could not brute-force the key; there is not enough computing power. Public key encryption is a lot slower than symmetric encryption and uses much longer keys. Also, the public key is only used to encrypt the symmetric key. There are too many possible keys, and it would take too long.

3) 29:11 - 31:12 Russell Gordon (Houston, Texas)

Listener Comment: I just paused the Security Now! 192 I was listening to so I could write and thank Steve for his response to Phil in Montreal. I have worked in the process automation industry for 19 years, programming PLCs - Programmable Logic Controllers - and designing the operator screens called HMIs - the Human Machine Interface - that allow the operator to interface with the control system. While the PLCs are not running on Windows, the software to program them is. And the HMIs are usually industrialized PCs running Windows. Of course.

I recently had to chase the Conficker worm out of a brewery because it was running rampant on their HMIs, which are unfortunately all connected to the corporate network. We also have Windows PCs used in the control systems running pipelines, and chemical and pharmaceutical plants. Luckily these are not connected to the Internet like the brewery. I guess a brewery is not considered essential technology in the same way that pipelines and pharmaceuticals are. Luckily these are not, as I said, connected. But all it takes is a rogue laptop to bring something into the network. Of course. Thank you, Steve, for acknowledging the current state of Windows as it is. I, too, understand how it got this way by supporting backward compatibility. But I also know how much better it could be.

Steve's Comment: This is another person's experience of using Windows.

4) 31:13 - 34:07 Paul Rudy (Astoria, Queens)

Listener Comment: He went to withdraw money from an ATM and saw it was on a Windows XP login screen.

Steve's Comment: This is common unfortunately and shouldn't be the case.

5) 34:08 - 41:08 Mark Davis (Sandston, Virginia)

Listener Comment: Most issues with infected computers come from the users themselves. That's what I take issue with. I find they're either too lazy with patching the machines, or they turn off security in their software, or they never read the manual or instructions about how to secure their computer equipment. The moment software starts making people do the things they should is when they start complaining the program's not user-friendly, and why do I have to click three times to tell a program to do something?

We all know that software has bugs in it and there are people out there who will spend time looking to find those bugs. The reason certain software gets targeted is because it has most of the market. And when someone else has more of the market we'll hear about how bad their software is when the bad people decide it's worth targeting.

Steve's Comment: Steve's issue is with the misapplication of Windows; he understands that secure software is difficult to create.

6) 41:09 - 46:44 Bill (Walnut Creek)

Listener Comment: Steve, I see we're in agreement with just about how steamy a pile Windows is. I've used many operating systems - Windows, Mac OS 9, Solaris, Red Hat Linux, HP/UX, IRIX, AIX, BeOS, et cetera. If I have any criticism of my past work on technology, it was most of the industry completely missed what NeXT was doing. Think about this. It has been ported to these CPU architectures: the Motorola 68030, Intel/PPC, Intel/ARM. All of these transitions were completely seamless. It is a tribute to the flexibility of the microkernel architecture that NeXT has maintained despite some cost in performance. Just imagine if Microsoft had to move Windows to a new CPU architecture.

The big problem is that Microsoft has packed almost everything into the kernel space to give them the performance advantage in the '90s. But now that rooster is coming home. I really think Apple has an edge on everyone else thanks to the heritage of NeXT, that is now the heart of OS X. Time will tell, but so far so good. The developer environment is second to none. It's a nice hybrid of proprietary and open source software. I could go on, but I'm sure you either already know or can research it yourself.

Steve's Comment: The idea with a microkernel is, as it sounds, you have a very small trusted environment that provides the minimum set of services, so literally a very small core. The beauty of that is that it's much easier to design a trusted, privileged, high-security environment which is small than it is to do something like Windows in that kind of environment. And then the idea then is that everything else that the operating system needs is an external non-trusted module which uses that set of core services. So things like memory allocation and memory management, process creation and thread creation, the scheduler that jumps the processor around among all the processes that are running, you know, those fundamental services of the operating system are the microkernel. And then everything else is - and that's trusted. That has to work. That has to be bulletproof and provably, knowably secure.

But then you design the system so that all the other things that the OS provides, even though they are traditional operating system services, they're provided as sort of add-ons outside of this microkernel. And because they're outside, problems in them cannot affect the rest of the system. So there's a much better sense of containment. And the bloat that all of these systems end up acquiring over time, the bloat is not kernel bloat, it's user space bloat. It's outside of the kernel. So if there's mistakes in the bloat, as there inevitably is, they can't hurt you nearly to the degree that mistakes in a bloated kernel will.

7) 46:45 - 49:40 Andy (Latvia) & Peter Katt (Syracuse)

Question: How hard is it to trace the person who registered the domains checked by Conficker?

Answer: It's very easy to register a domain completely anonymously and forge an identity.

8) 49:41 - 52:16 Bill Everson (Green Bay, Wisconsin)

Listener Comment: The IronKey now supports VeriSign's one-time passwords.

Steve's Comment: VeriSign has opened up the SDK, and there are now applications for the iPhone and various other phones.

9) 52:17 - 54:55 Bill Gearhiser (Boca Raton, Florida)

Question: How do you know if you are infected with Conficker?

Answer: Conficker blocks access to security sites such as Symantec's. You can also run the MSRT (Microsoft's Malicious Software Removal Tool), but make sure you have the latest version, as Conficker blocks Windows Update.

Answer: Until version E, Conficker did nothing. Version E installs scareware (Spyware Protect 2009) and/or the Waledac spam botnet; it also reinstates the original propagation method, where it looks for more machines to infect by exploiting computers without the patch.

11) 01:00:48 - 01:04:43 Barry (Minnesota)

Listener Comment: As the CISO of a large state agency, I have the privilege of working with many very smart staff and colleagues. My agency is involved in the healthcare and EHR world, and I share your concerns about the push toward online medical records and the associated security issues. However, there are clear medical benefits to the consumer, and that's the main driver. You and Leo answered your own questions within a minute or two of your statement. However, you didn't retract that statement.

The push to move a product or service to market and accelerated development timelines drive so much that we in the security industry do, whether in government or business. In the government sector we're also subject to the whims of elected officials, perhaps not unlike those of corporate executives. It's the rare organization that truly builds security in, although we're all united in that quest. This is a common theme in our industry, and one you've discussed at length on your fine show. I suspect we'll find that the compromised Pentagon computers were Internet connected because of a requirement to make them accessible to external contractors. The breach itself may have been caused either by compromising the contractor end point, or the remote access process, perhaps via social engineering or a weak password or a patch that wasn't applied because of a possible incompatibility with the development code.

All of those things happen. I also suspect that appropriate security personnel warned about that possibility but were overruled. So please recognize that those of us responsible for security of government systems, assets, and data are doing all we can, with minimal resources and budgets, to secure that data and maintain citizen confidence.

Steve's Comment: I really, really apologize. I know that I said that because Barry was not the only person to write. I heard from many government people who said, how could you say that all government people are stupid? Or, I mean, I didn't use that word. But I'm - and I'm thinking, how could I have said that? And I know exactly what I was thinking at the time. And I was thinking about the legislators who I see interviewed that are just clueless about this stuff. I mean, I absolutely meant no slight to the actual people like Barry that are on the ground, as they say now, doing this work. Of course not. It was the people, frankly legislators, who I just haven't seen one that understands this. So, and I know even they, too, are dealing with a bureaucracy that I can't even comprehend, that would just make me shoot myself if I had to deal with that on a daily basis. So they're doing things I can't do, either, in a different way. So anyway, I have the greatest respect for government employees who are working as hard as they can, like Barry, and facing, as he says, resource constraints that are probably much tighter even than the corporate world has. So I certainly apologize for having given that impression. It was not what I meant.

12) 01:04:44 - 01:14:44 Sam (Alsager, U.K.)

Listener Comment: You said in a recent Security Now! episode that Visual Basic, quote, "allows monkeys to program." You know, these things happen. I am a computing student and a technology enthusiast. And I feel that's a bit harsh for someone like me or someone in a similar position. I know you started programming at my age, 16. But times have changed a lot. I've grown up very literate with computers. However, programming is very different. At times I've racked my brain for hours to get a program to do something or have to play around with variables or data types. And so I feel it's a bit harsh to assume that anyone, even monkeys, can program. There's been no evidence that monkeys can program, by the way.

When I started programming with limited help, and with the web being clogged up with useless crap doesn't help a lot, either. Not everybody is an amazing Assembly language programmer like you are, although we would like to be. And I can well understand that, as one further increases their knowledge of computers, we tend to grow farther away from the less technically literate. And I understand less why they may not know something or understand something. So I end up by saying, I understand where you're coming from, but please try to be a bit more understanding of the people just beginning with this stuff. This doesn't change how I feel about the show. I just wanted a shout-out for the people who are getting started or a little less technical. Thanks a bunch for yours and Leo's hard work.

Steve's Comment: Steve said that monkeys could program in Visual Basic, not that all Visual Basic programmers are monkeys.

Notable Quotes

Steve: Right. I mean, because I'm not controlling a nuclear reactor with Windows.

Leo: Oh, I hate to think that that's happening.

Steve: Oh, yeah, well...

Leo: But I bet it is.

Steve: Let's hope not.

Steve: There is a whole separate class of industrial-strength operating systems that consumers have never used because they don't have all the fluff on them. They don't do all the things that we want. They may not even have network connectivity like we're used to. But they are what you want running your ATM at your local bank and the nuclear reactor in the next county. That's what you want, not Windows.